[PATCH] libcrypto without executable stack

classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] libcrypto without executable stack

Dirk Müller-5

Hi,

the appended patch makes libcrypto.so compile without executable stack
requirements. it should be portable accross all versions of binutils (and
doesn't affect any non-linux platform anyway).

Diffed against 0.9.8a.


Dirk

non-exec-stack.diff (216 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Mike Frysinger
On Wed, Nov 09, 2005 at 12:00:19AM +0100, Dirk Mueller wrote:
> the appended patch makes libcrypto.so compile without executable stack
> requirements. it should be portable accross all versions of binutils (and
> doesn't affect any non-linux platform anyway).

it will break non-ELF builds though (but maybe the script isnt used for
non-ELF targets so thats OK?)
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Corinna Vinschen
On Nov  9 01:19, Mike Frysinger wrote:
> On Wed, Nov 09, 2005 at 12:00:19AM +0100, Dirk Mueller wrote:
> > the appended patch makes libcrypto.so compile without executable stack
> > requirements. it should be portable accross all versions of binutils (and
> > doesn't affect any non-linux platform anyway).
>
> it will break non-ELF builds though (but maybe the script isnt used for
> non-ELF targets so thats OK?)

It's also used for Cygwin and the patch breaks the Cygwin build.


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Dirk Müller-5
On Wednesday 09 November 2005 10:45, Corinna Vinschen wrote:

> It's also used for Cygwin and the patch breaks the Cygwin build.

I don't have a cygwin toolchain around, but can you tell me the error message
so that I can work on fixing it?

does the attached patch work?

Thanks,
Dirk

non-exec-stack.diff (236 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Corinna Vinschen
On Nov  9 13:57, Dirk Mueller wrote:
> On Wednesday 09 November 2005 10:45, Corinna Vinschen wrote:
> > It's also used for Cygwin and the patch breaks the Cygwin build.
>
> I don't have a cygwin toolchain around, but can you tell me the error message
> so that I can work on fixing it?

x86cpuid-cof.s: Assembler messages:
x86cpuid-cof.s:0: Warning: end of file not at end of a line; newline inserted
x86cpuid-cof.s:165: Error: junk at end of line, first unrecognized character is `-'

> does the attached patch work?

Yes, it works.  The resulting asm file does not contain the new .section
pseudo op.  There are two problems with this section in PE/COFF, first,
the section name must not contain a dash (for whatever reason), and
second, COFF sections have only up to two parameters as described in the
gas info pages:

  .section NAME[, "FLAGS"]
  .section NAME[, SUBSEGMENT]

Btw., the first asm message indicates that a \n is missing.  You should
add this at the end of the section string to avoid the warning.


HTH,
Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Dirk Müller-5
On Wednesday 09 November 2005 14:30, Corinna Vinschen wrote:

> Btw., the first asm message indicates that a \n is missing.  You should
> add this at the end of the section string to avoid the warning.

Ok, thanks for your help and the hint. I'd like to suggest the following patch
for inclusion into OpenSSL.


Thanks,
Dirk

non-exec-stack.diff (404 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Mike Frysinger
On Wed, Nov 09, 2005 at 02:39:47PM +0100, Dirk Mueller wrote:
> Ok, thanks for your help and the hint. I'd like to suggest the following patch
> for inclusion into OpenSSL.

thanks, we've just been forcing -Wa,--noexecstack in Gentoo ... this is much
nicer :)

btw, does x86nasm.pl need to be fixed too ?  in theory, if it was used to
generate some source files which are included in the final lib, it'll force
back in exec stack markings ...
%ifidn __OUTPUT_FORMAT__,elf
section .note.GNU-stack noalloc noexec nowrite progbits
%endif
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Dirk Müller-5
On Wednesday 09 November 2005 15:15, Mike Frysinger wrote:

> btw, does x86nasm.pl need to be fixed too ?  in theory, if it was used to
> generate some source files which are included in the final lib, it'll force
> back in exec stack markings ...

It doesn't seem to be used here. can you confirm that the stack is
nonexecutable on your platform if you apply just the patch I posted?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Mike Frysinger
On Wed, Nov 09, 2005 at 03:21:20PM +0100, Dirk Mueller wrote:
> On Wednesday 09 November 2005 15:15, Mike Frysinger wrote:
>
> > btw, does x86nasm.pl need to be fixed too ?  in theory, if it was used to
> > generate some source files which are included in the final lib, it'll force
> > back in exec stack markings ...
>
> It doesn't seem to be used here.

i wasnt suggesting it was, just saying that 'hey, just in case, why the hell
note' :)

> can you confirm that the stack is
> nonexecutable on your platform if you apply just the patch I posted?

with openssl-0.9.8a/x86 your patch fixes GNU_STACK markings for me

x86_64/ia64 though need another fix ...
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Andy Polyakov
In reply to this post by Dirk Müller-5
> the appended patch makes libcrypto.so compile without executable stack
> requirements. it should be portable accross all versions of binutils

x86unix.pl is called to generate output suitable not only for GNU
assembler [applies to ELF, COFF and a.out targets], but even for vendor
assemblers, for example Suns. So one either have to complement it with a
way to *reliably* identify when binutils are deployed or adhere to
alternative method, such as previously suggested -Wa,--noexecstack.

> (and doesn't affect any non-linux platform anyway).

How come it turns from unsure "should be portable" to definitive
"doesn't affect" so easily:-) Indeed, "should be portable" is more like
"well, i didn't actually test every single version," right? And it's
fine! But "doesn't affect" is pretty much "i've tested every damn
non-linux platform and not single one failed" and it doesn't really win
the confidence:-)

But anyway. My vote goes to alternative method, which can be deployed as
easily as './config -Wa,--noexecstack' prior make. Because it can be
taylored to various needs/environments as easy as it can be deployed and
without headaches of cross-platform verification or running into subtle
bugs. It appears that alternatively one can throw in
-Wl,-z,-noexecstack... A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Mike Frysinger
On Wed, Nov 09, 2005 at 05:38:39PM +0100, Andy Polyakov wrote:
> >(and doesn't affect any non-linux platform anyway).
>
> How come it turns from unsure "should be portable" to definitive
> "doesn't affect" so easily:-)

it should be portable across all ELF targets ... after all, you're just adding
an elf program header which any elf loader worth its salt would ignore if it
didnt support it

the code itself though would require GNU as ... but i havent poked through the
code before so maybe that requirement is already covered ?

> But anyway. My vote goes to alternative method, which can be deployed as
> easily as './config -Wa,--noexecstack' prior make.

or maybe add it to the default configure code as a normal check ?  i'm pretty
sure there is no case where you wouldnt want to use the flag if your toolchain
supported it
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Dirk Müller-5
In reply to this post by Andy Polyakov
On Wednesday 09 November 2005 17:38, Andy Polyakov wrote:

> > (and doesn't affect any non-linux platform anyway).
> How come it turns from unsure "should be portable" to definitive
> "doesn't affect" so easily:-)

What I tried to say was that the extra section is ignored on platforms that do
not use a recent binutils toolchain, which interpret this section
"magically".

> But anyway. My vote goes to alternative method, which can be deployed as
> easily as './config -Wa,--noexecstack' prior make. Because it can be
> taylored to various needs/environments as easy as it can be deployed and
> without headaches of cross-platform verification or running into subtle
> bugs.

Works for me as well, its kind of a brute force hammer though. In any case the
real intention is to document that libcrypto *should* work fine without
executable stack (and it does, given there is only one tiny piece of
assembler which questions the whole thing), and for that, one patch in
upstream is needed, and IMHO it should configure with non-executable stack by
default if the preconditions are met.


Dirk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Kurt Roeckx
In reply to this post by Dirk Müller-5
On Wed, Nov 09, 2005 at 12:00:19AM +0100, Dirk Mueller wrote:
>
> Hi,
>
> the appended patch makes libcrypto.so compile without executable stack
> requirements. it should be portable accross all versions of binutils (and
> doesn't affect any non-linux platform anyway).

The problem is that binutils assumes that assembler files without
that section require an executable stack, while most don't.  This
means that on all platforms that use gnu binutils something is
required for all (generated) assembler files (not created by
gcc), not just for x86.

You don't have the problem with .c files since gcc will add the
proper section if it needs to, which is in most cases.  There are
cases where gcc will generate assembler that requires an
executable stack too.

This means either patching all those generated files, or telling
the assembler (with -Wa,--noexecstack) that it shouldn't generate
an executable stack.

I would prefer the first, but I don't see how to make that
portable in an easy way.

The problem with an executable stack is probaly obvious to most
people, in case of a security bug it's ussually the most easy way
to exploit it.

The Linux kernel now has the abbility to make the stack
executable on request, specialy on hardware with the "NX" bit.
There exist patches that do not allow you to have an executable
stack.


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] libcrypto without executable stack

Andy Polyakov
In reply to this post by Dirk Müller-5
>>>(and doesn't affect any non-linux platform anyway).
>>
>>How come it turns from unsure "should be portable" to definitive
>>"doesn't affect" so easily:-)

Do mind smilies in my previous post:-)

> What I tried to say was that the extra section is ignored on platforms that do
> not use a recent binutils toolchain, which interpret this section
> "magically".

I wouldn't hold my breath for this, as I'm rather concerned about
non-GNU tools failing to compile, than OS ELF image loader to ignore an
additional header. And indeed, Solaris 'as' for one miserably fails to
compile suggested .section directive...

>>But anyway. My vote goes to alternative method, which can be deployed as
>>easily as './config -Wa,--noexecstack' prior make. Because it can be
>>taylored to various needs/environments as easy as it can be deployed and
>>without headaches of cross-platform verification or running into subtle
>>bugs.
>
> Works for me as well, its kind of a brute force hammer though. In any case the
> real intention is to document that libcrypto *should* work fine without
> executable stack

So one can as well call it "a distinguished way to make this statement
and document it," as the line will even appear in 'openssl version -a'
output and not some place nobody looks into:-)

> and IMHO it should configure with non-executable stack by
> default if the preconditions are met.

One can drop it into ./config... A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]